From: Dr. David von Oheimb Date: Fri, 29 Jul 2022 09:31:39 +0000 (+0200) Subject: APPS: make sure the -CAfile argument can be in DER format X-Git-Tag: openssl-3.2.0-alpha1~960 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=57c0205b4df7d612a0333415dfc0a845c22e7458;p=thirdparty%2Fopenssl.git APPS: make sure the -CAfile argument can be in DER format Note that PKCS#12 input is still not supported here- Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/18917) --- diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 69bf5b4e37b..6f9bf4a6c84 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -1379,8 +1379,12 @@ X509_STORE *setup_verify(const char *CAfile, int noCAfile, if (CAfile != NULL) { if (X509_LOOKUP_load_file_ex(lookup, CAfile, X509_FILETYPE_PEM, libctx, propq) <= 0) { - BIO_printf(bio_err, "Error loading file %s\n", CAfile); - goto end; + ERR_clear_error(); + if (X509_LOOKUP_load_file_ex(lookup, CAfile, X509_FILETYPE_ASN1, + libctx, propq) <= 0) { + BIO_printf(bio_err, "Error loading file %s\n", CAfile); + goto end; + } } } else { X509_LOOKUP_load_file_ex(lookup, NULL, X509_FILETYPE_DEFAULT, diff --git a/doc/man1/openssl-verification-options.pod b/doc/man1/openssl-verification-options.pod index 57b29dc5837..2a3fe8849a8 100644 --- a/doc/man1/openssl-verification-options.pod +++ b/doc/man1/openssl-verification-options.pod @@ -202,8 +202,8 @@ can be specified using following options. =item B<-CAfile> I -Load the specified file which contains a certificate -or several of them in case the input is in PEM or PKCS#12 format. +Load the specified file which contains a trusted certificate in DER format +or potentially several of them in case the input is in PEM format. PEM-encoded certificates may also have trust attributes set. =item B<-no-CAfile>
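Review bot: In the apps/lib/apps.c hunk of setup_verify(), the ERR_clear_error() placed before the X509_FILETYPE_ASN1 retry wipes the whole thread error queue, not only the entries from the failed PEM attempt, and it leaves nothing to explain why the PEM load failed. When both loads fail, the user sees "Error loading file %s" plus only the DER parse errors, which is misleading for a damaged PEM bundle. Consider bracketing the PEM attempt with ERR_set_mark() and ERR_pop_to_mark() so only that attempt's entries are dropped, and have the final BIO_printf say that both PEM and DER were tried. The retry also runs for every PEM failure, since the `<= 0` check does not distinguish a file that cannot be opened from one that is not PEM. A short comment above the nested call explaining the PEM-then-DER order would help the next reader as well.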
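Review bot: In the doc/man1/openssl-verification-options.pod hunk, the new -CAfile text drops the PKCS#12 mention without saying that PKCS#12 is not supported, although the commit message states exactly that; a reader of the old page who passes a .p12 trust store gets no hint from the new wording. "or potentially several of them in case the input is in PEM format" is also vague about how the format is chosen. Suggest stating the behaviour the code change implements: the file is tried as PEM first and then as DER, a DER file supplies a single trusted certificate, a PEM file may supply several, and PKCS#12 input is not accepted for this option.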